Office of Inspector General

Independent Evaluation Report of FMC's FY 2010 Implementation of FISMA

A11-01

December 2010

FEDERAL MARITIME COMMISSION

FEDERAL MARITIME COMMISSION
Office of Inspector General
Washington, DC 20573-0001

December 15, 2010

Chairman Lidinsky:

Like all federal agencies, the FMC is becoming more dependent on information systems to carry out its regulatory mission. However, such dependence increases the number and severity of threats that can have adverse impacts on its operations, assets, and employees. Given the potential for harm that can arise from environmental disruptions, human errors and "hacker" attacks, the FMC must place greater emphasis on the management of risk associated with its information systems as it carries out its mission. The cornerstone of any effort to manage organizational risk related to information systems is an effective information security program. Title III of the E-Government Act of 2002, known as the Federal Information Security Management Act (FISMA), was developed to provide a broad framework for information security programs within the federal government.

The Office of Inspector General (OIG) has completed its independent evaluation of information security pursuant to requirements contained in FISMA. This is the eighth annual evaluation completed by the OIG in the area of information and computer security.

In 2008, the Office of Information Technology (OIT) sought the assistance of an information technology contractor to perform a comprehensive assessment of its information security posture. The OIT received significant funding to address the identified weaknesses and vulnerabilities in its security program. In 2009, the contractor certified two of four agency systems. Certification is a comprehensive assessment of information system controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system. The two remaining systems did not undergo certification by the vendor. Rather, the agency planned to procure an "off-the-shelf" system to replace the two applications, with plans to certify the new system after development.

In FY 2010, a new contractor began work on implementing an Enterprise Content Management (ECM) system with the goal of improving agency electronic document and records management and functional capabilities. However, a dispute arose with the contractor regarding expectations and costs. Ultimately the dispute was resolved by agreement to terminate the contract. The agency intends to renew its procurement of an ECM, based on funding availability.

As a result, two systems remain in production (i.e., operation) without assessment of risk to these systems and the data each houses. The two systems are the agency's Form 1, an Internet-based form to collect tariff location addresses and other specific organizational information from conferences, ocean common carriers, transportation intermediaries and marine terminal operators; and Form 18, the agency's Internet-based transportation intermediary license application. Without developing certification and accreditation (C&A) packages for these systems, FMC is unable to identify all of the risks that may be associated with operating these systems. As a result, FMC data may be exposed to unknown vulnerabilities and may not have the safeguards in place to prevent unauthorized use, disclosure, and modification of FMC data.

The OIG contracted with Richard S. Carson and Associates to perform the independent evaluation of the FMC security program. The evaluation found that the FMC has taken steps to protect the agency's systems, most important being the accreditation two years ago of its Network and SERVCON applications, and has made progress in mitigating the weaknesses which led to the prior years' significant deficiencies concerning IT risk and recovery planning. It has implemented an annual computer security awareness program with an interactive online course and a required assessment for all employees at completion. All FMC staff and contractors completed annual computer security awareness training by the end of FY 2010. The agency has taken steps to monitor contractor systems used by the agency and to update its Incident Response Policy to include breach-related procedures from the Office of Management and Budget.

In addition to two applications in production without accreditation, there are some deficiencies with the C&A packages for the FMC Network and SERVCON. Further, the agency's plan of action & milestones process needs improvement; the FMC Network Domain Administrator accounts are not formally monitored and segregated; and configuration management documentation and practices are not adequate.

FMC management cannot make credible, risk-based determinations for its systems in operation without a documented assessment and acceptance of risk to the organization. FMC management has not demonstrated a fully functional risk management process, as prescribed by the National Institute of Standards and Technology, and is not fully aware of the potential security control weaknesses in all of its systems.

I am available to discuss the report's findings and recommendations at your convenience.

Respectfully submitted,

/Adam R. Trzeciak/
Inspector General

cc:    Commissioners
       Managing Director

Office of Inspector General

Independent Evaluation Report

Review of Federal Maritime Commission Implementation of the Federal Information Security Management Act of 2002

For Fiscal Year 2010

December 6, 2010

Independent Evaluation of FMC Information Security Program

EVALUATION SUMMARY

Introduction

On December 17, 2002, the President signed into law the E-Government Act of 2002 (Public Law 107-347), which includes Title III, the Federal Information Security Management Act of 2002 (FISMA). FISMA permanently reauthorized the framework laid out in the Government Information Security Reform Act of 2000 (GISRA), which expired in November 2002. FISMA outlines the information security management requirements for agencies, including the requirement for annual review and independent assessment by agency inspectors general. In addition, FISMA includes new provisions aimed at further strengthening the security of the federal government's information and information systems, such as the development of minimum standards for agency systems.
The annual assessments provide agencies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security.

The Federal Maritime Commission's (FMC) Office of Inspector General (OIG) contracted with Richard S. Carson and Associates (Carson Associates) to perform an independent FISMA evaluation of the FMC security program, along with the OIG's portion of the Office of Management and Budget (OMB) Reporting Template for FY 2010. This OIG Independent Evaluation Report, unlike the Reporting Template for inspectors general (IG), focuses on performance measures, provides specific findings and, when applicable, recommendations for resolution.

Objectives

The objectives of the independent evaluation of the FMC information security program are:

   •   Task 1 – Evaluation of Information System and Security Program: Assess compliance with FISMA and related information security policies, procedures, standards, and guidelines using criteria and methodologies contained in the Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM), National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) and Special Publications (SP), and Office of Management and Budget (OMB) guidance. The scope of this task includes the following:
           o FMC Network
           o SERVCON
           o FORM-1
           o FORM-18

   •   Task 2 – Evaluation of Prior Recommendations: Review management actions to implement the OIG recommendations.
   •   Task 3 – Security Program Progress Review: An independent review of FMC's progress in implementing an effective information security program.

The results of our evaluations are presented in this Independent Evaluation Report, along with a number of recommendations to address vulnerabilities identified during the evaluation.

Overview of Results

FISMA section 3542(b) defines information security as "... protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide (i) integrity—guarding against improper information modification or destruction, and ensuring information nonrepudiation and authenticity; (ii) confidentiality—preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and (iii) availability—ensuring timely and reliable access to, and use of, information."

The OIG found that the FMC's Office of Information Technology (OIT) has established security safeguards to protect the agency's systems. For example, the agency conducts security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of (i) information security risks associated with their activities, and (ii) their responsibilities to comply with agency policies and procedures designed to reduce these risks. FMC had appropriate policies and procedures implemented and the process was operating effectively. However, other prescribed NIST and OMB methodologies have not been fully implemented, as detailed in this report.

In FY 2010, FORM-1 and FORM-18 continued to operate in a production environment without any documented assessment and acceptance of risk to the organization. Additionally, FMC has not corrected weaknesses identified in FY 2008 and FY 2009, including the lack of a comprehensive configuration management program. Further, no annual security control assessments or continuous monitoring were performed for any of the four FMC systems in FY 2010.

The FMC certified and accredited (C&A) two systems in FY09, including its network, and has plans to make additional improvements in its security program while implementing an enterprise content management system that would replace FORM-1 and FORM-18, complete with a C&A package. The FMC selected a contractor and is expected to complete the enterprise content management system task in the future, but has not provided a written target date for completion; last year the OIG was told this would be completed by May 2010. The OIG will track the progress of the IT security program throughout FY 2011 and will follow up on the recommendations listed in this report in the OIG's FY 2011 FISMA evaluation.

In addition, the security evaluation team identified the following seven weaknesses during the FY 2010 FISMA evaluation:

   •   Deficiencies with the FMC C&A packages for the FMC Network and SERVCON still exist and annual assessments have not been conducted for these systems;
   •   The FMC plan of action & milestones (POA&M) process still needs improvement;
   •   FMC Network Domain Administrator accounts are not formally monitored and segregated;
   •   The FMC lacks an adequate Contingency Planning Program, to include policies, procedures, testing and documentation of testing;
   •   The FMC official system inventory is incomplete;
   •   Oversight of third-party (service provider) systems needs improvement; and
   •   Configuration Management documentation and practices are not adequate.

FMC management cannot make credible, risk-based determinations for its systems in operation without a documented assessment and acceptance of risk to the organization. FMC management has not demonstrated a fully functional risk management process, as prescribed by the National Institute of Standards and Technology, and is not fully aware of the potential security control weaknesses in its systems, thereby leaving its information and systems vulnerable to attack or compromise.

TABLE OF CONTENTS

EVALUATION SUMMARY
BACKGROUND
OBJECTIVES
SCOPE AND METHODOLOGY
DETAILED FINDINGS AND RECOMMENDATIONS

      AGENCY IMPLEMENTATION OF FISMA – FY 2010 REVIEW

           Notification of Finding # 1: Authorization (formerly C&A) packages have not been completed for Form-1 and Form-18 systems.

           Notification of Finding # 2: Deficiencies with FMC Certification and Accreditation (C&A) packages for FMC Network and SERVCON exist and annual assessments have not been conducted for these systems in FY10.

           Notification of Finding # 3: The FMC Plan of Action & Milestones process is inadequate.
           Notification of Finding # 4: FMC Network Domain Administrator accounts are not formally monitored and segregated.

           Notification of Finding # 5: FMC lacks an adequate Contingency Planning Program to include policies, procedures, testing, and documentation of testing.

           Notification of Finding # 6: FMC official system inventory is incomplete.

           Notification of Finding # 7: Third-Party Oversight deficiencies.

           Notification of Finding # 8: Configuration Management documentation and practices are not adequate.

BACKGROUND

On December 17, 2002, the President signed into law the E-Government Act of 2002 (Public Law 107-347), which includes Title III, the Federal Information Security Management Act of 2002 (FISMA). FISMA permanently reauthorized the framework laid out in the Government Information Security Reform Act of 2000 (GISRA), which expired in November 2002, and outlines information security management requirements for agencies, including the requirement for annual review and independent assessment by agency inspectors general. In addition, FISMA includes provisions aimed at further strengthening the security of the federal government's information and information systems, such as the development of minimum standards for agency systems. The annual assessments provide agencies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security.

OBJECTIVES

The objectives of the independent evaluation of the FMC information security program are as follows:

   •   Task 1 – Evaluation of Information System and Security Program: Assess compliance with FISMA and related information security policies, procedures, standards, and guidelines using criteria and methodologies contained in the Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM), National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) and Special Publications (SP), and Office of Management and Budget (OMB) guidance. The scope of this task includes the following:
           o FMC Network
           o SERVCON
           o FORM-1
           o FORM-18

   •   Task 2 – Evaluation of Prior Recommendations: Review management actions to implement the OIG recommendations.
   •   Task 3 – Security Program Progress Review: An independent review of FMC's progress in implementing an effective information security program.

SCOPE AND METHODOLOGY

The scope of this independent evaluation of the FMC fiscal year (FY) 2010 information security program included the following:

   •   Overall Security Program Implementation
   •   Certification & Accreditation (C&A) process and package reviews of the FMC Network and SERVCON
   •   Configuration Management
   •   Contractor Oversight
   •   Contingency Planning and Testing
   •   POA&M Process
   •   Security Awareness Training
   •   Incident Response

To accomplish the review objectives, the OIG conducted interviews with Office of the Managing Director staff, including the Chief Information Officer (CIO); Office of Information Technology (OIT) staff, including the Director of Information Technology and the Senior Information System Security Officer (ISSO); and other FMC personnel.

The team reviewed documentation provided by the FMC, including C&A documentation and information security-related policies.

All analyses were performed in accordance with the following guidance:

   •   Federal Information Security Management Act of 2002 (Public Law 107-347), December 2002
   •   Office of Management and Budget Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, April 21, 2010
   •   OMB M-04-04, E-Authentication Guidance to Federal Agencies, December 2003
   •   OMB Circular A-130, Transmittal Memorandum No. 4, Management of Federal Information Resources, November 18, 2000
   •   Federal Information Processing Standards Publication (FIPS PUB) 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004
   •   FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006
   •   National Institute of Standards and Technology Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, February 2006
   •   NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009
   •   NIST SP 800-30, Risk Management Guide for Information Technology Systems, July 2002
   •   NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, June 2002
   •   NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004
   •   NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008
   •   NIST SP 800-70, National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, September 2009
   •   Quality Standards for Inspections issued in 2003 by the President's Council on Integrity and Efficiency
   •   President's Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency FISMA Framework, September 2006
   •   FMC/OIG audit guidance
   •   FMC policies and procedures

The OIG performed fieldwork between July 7, 2010, and August 31, 2010, at the FMC headquarters in Washington, DC.

DETAILED FINDINGS AND RECOMMENDATIONS

The FMC has taken steps to enhance its information security program and address issues identified in the 2006, 2007, 2008, and 2009 FISMA reports, including the following:

   •   Creating C&A packages for the FMC Network and SERVCON.
   •   Implementing and monitoring the annual computer security awareness program, to include providing an interactive online course with a required assessment for all employees at completion. All FMC staff and contractors completed annual computer security awareness training by the end of FY 2010.
   •   Taking steps to implement contractor system oversight to ensure the information systems meet government policies and regulations.
   •   Updating the Incident Response Policy to include breach-related procedures from OMB Memorandum M-07-16.
   •   Taking steps to implement a POA&M process.

Agency Implementation of FISMA – FY 2010 Review

Notification of Finding # 1: Authorization (formerly C&A) packages have not been completed for Form-1 and Form-18 systems.

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, identifies specific "minimum security requirements for federal information and information systems in seventeen security-related areas.
Federal agencies must meet the\nminimum security requirements as defined herein through the use of security controls in\naccordance with NIST SP 800-53, Recommended Security Controls for Federal Information\nSystems, as amended.\xe2\x80\x9d\n\nThe agency\xe2\x80\x99s systems Form-1 and Form-18 (FMC-18), which have been in the operational\nmaintenance phase of the system development life cycle for more than three (3) years, have not\nbeen assessed in accordance with NIST guidance and standards. Without this assessment the\nDesignated Authorizing Authority (DAA) is not provided a clear picture of risk associated with\nthese systems and has no foundation on which to base an accreditation decision upon. These\nsystems therefore remain non-compliant with the FISMA statute.\n\nFMC hired contractors during FY 2008 and FY 2009 to assist in the development of its IT\nsecurity program by first certifying and accrediting its systems, however, the contractor was\nissued a \xe2\x80\x9cstop work order\xe2\x80\x9d after completion of the FMC Network and SERVCON C&A\ndocumentation. 
Furthermore, an enterprise document management system is planned to be\nimplemented to replace the Form-1 and Form-18 systems.\n\n\n\n\n                                                3                                              December 6, 2010\n\x0c                                                                                           Independent Evaluation of FMC Information Security Program\n\n\n\n\nThe FMC\xe2\x80\x99s CIO has indicated that FMC will not perform certification and accreditation on these\nsystems since the intent of the FMC is to replace these applications with updated technology.\nAccording to the CIO, the effort to replace these platforms is ongoing and it would not be useful\nto invest resources around security for them.\n\nAs a result, FMC continues to allow Form-1 and Form-18 systems to operate in the FMC\nproduction environment without a formal authorization to operate and without knowing the full\nrisk that the systems pose to the FMC IT infrastructure.\n\nWithout developing accreditation (formerly C&A) packages for these systems, FMC is unable to\nidentify all of the risks that may be associated with operating these systems and therefore does\nnot have a foundation on which to base a risk based accreditation decision. As a result, FMC data\nmay be exposed to unknown vulnerabilities and therefore may not have the safeguard in-place to\nprevent unauthorized use, disclosure, and modification of FMC data. In addition, users may be\nentering data into these systems under the false assumption that the systems are compliant with\nfederal standards.\n\nRecommendation\n      1. 
Formally document plans for Form-1 and Form-18 system replacements that includes, but\n         is not limited to, explicit migration milestones and timelines.\n\nNotification of Finding # 2: Deficiencies with FMC Certification and Accreditation\npackages for FMC Network and SERVCON exist and annual assessments have\nnot been conducted for these systems in FY10.\n\nMemorandum M-10-15, FY 2010 Reporting Instructions for Federal Information Security\nManagement Act and Agency Privacy Management, states that certification and accreditation is\nrequired for all federal information systems. (p. 9).\n\nMemorandum M-04-04, E-Authentication Guidance to Federal Agencies, states that agencies\nare required to review new and existing electronic transactions to ensure that authentication\nprocesses provide the appropriate level of assurance 1 and assists agencies in determining their e-\ngovernment authentication needs. It establishes and describes four levels of identity assurance\nfor electronic transactions requiring authentication. Assurance levels also provide a basis for\nassessing Credential Service Providers on behalf of federal agencies.\n\nAgency business-process owners bear the primary responsibility to identify assurance levels and\nstrategies for providing them. 
This responsibility extends to electronic authentication systems.\n\n\n\n\n1\n  The authentication process is used to verify the identity of a user, process or device, often as a prerequisite to allowing access to resources in an\ninformation system.\n\n\n\n\n                                                                               4                                                            December 6, 2010\n\x0c                                                       Independent Evaluation of FMC Information Security Program\n\n\n\n\nTo successfully implement a government service electronically (or e-gorvernment), federal\nagencies must determine the required level of assurance in the authentication for each system.\nThis is accomplished through a risk assessment for each system, which identifies both the risks\nto the system and the likelihood of their occurrence.\n\nTo determine the appropriate level of assurance in the user\xe2\x80\x99s asserted identity, agencies must\nassess the potential risks, and identify measures to minimize their impact. Authentication errors\nwith potentially worse consequences require higher levels of assurance. Business process, policy\nand technology may help reduct risk. The risk from an authentication error is a function of two\nfactors: (i) potential harm or impact, and (ii) the likelihood of such harm or impact.\n\nAt the FMC, required assurance levels for electronic transactions are determined by assessing the\npotential impact, for example, the unauthorized release of sensitive information on the agency\nand public. Accoridng to OMB M-04-04, the potential impact of an unauthorized release ranges\nfrom low to high depending on the following criteria:\n\n       \xe2\x80\xa2   Low\xe2\x80\x94at worst, a limited release of personal, U.S. 
government sensitive, or\n           commercially sensitive information to unauthorized parties resulting in a loss of\n           confidentiality with a low impact as defined in FIPS PUB 199.\n\n       \xe2\x80\xa2   Moderate\xe2\x80\x94at worst, a release of personal, U.S. government sensitive, or\n           commercially sensitive information to unauthorized parties resulting in loss of\n           confidentiality with a moderate impact as defined in FIPS PUB 199.\n\n       \xe2\x80\xa2   High\xe2\x80\x94a release of personal, U.S. government sensitive, or commercially sensitive\n           information to unauthorized parties resulting in loss of confidentiality with a high\n           impact as defined in FIPS PUB 199.\n\nNIST SP 800-37, Recommended Security Controls for Federal Information Systems, May\n2004, states that periodic testing and evaluation of the effectiveness of information security\npolicies, procedures, practices, and security controls to be performed with a frequency depending\non risk, but no less than annually (p. 3). Also a C&A package shall contain an approved security\nplan, a security assessment report (ST&E), and a POA&M (p. 21). Additionally, SP 800-37\nstates that the assessment of risk and the development of system security plans (SSP) are two\nimportant activities in an agency\xe2\x80\x99s information security program that directly support security\naccreditation and are required by FISMA and OMB Circular A-130, Appendix III (p. 4).\n\nDocumentation should be produced that describes the process employed and the results obtained\n(p. 5). 
SP 800-37 also states that system security plans can include as references or attachments\nother important security-related documents such as risk assessments, contingency plans, privacy\nimpact assessments, incident response plans, security awareness and training plans, information\nsystem rules of behavior, configuration management plans, security configuration checklists,\nprivacy impact assessments, and system interconnection agreements (pp. 5, 21).\n\n\n\n\n                                                5                                              December 6, 2010\n\x0c                                                         Independent Evaluation of FMC Information Security Program\n\n\n\n\nOMB Guidance M-10-15, FY 2010 Repporting Instructions for the Federal Information\nSecuruty Management Act and Agency Privacy Management, states that for all non-national\nsecurity programs and systems agencies must follow NIST standards and guidance (p. 4).\n\nNIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information\nSystems, February 2006, requires the use of NIST SP 800-53 security controls in the\ndevelopment of the security plan (section 3.14, pp. 24-25). Once the security controls are\nselected and tailored and the common controls identified, agencies are to describe each control.\nThe description should contain (i) the security control title; (ii) how the security control is being\nimplemented or planned to be implemented; (iii) any scoping guidance that has been applied and\nwhat type of consideration; and (iv) indicate if the security control is a common control and who\nis responsible for its implementation (section 3.1.4, pp. 24-25).\n\nNIST SP 800-30, Risk Management Guide for Information Technology Systems, July 2002,\ndifferentiates security testing and evaluation (ST&E) from automated vulnerability scanning and\npenetration testing. 
The purpose of system security testing is to test the effectiveness of the security controls of a system as they have been applied in an operational environment. In contrast, the potential vulnerabilities identified by automated scanning may not represent real vulnerabilities in the context of the system environment. Similarly, penetration testing is used to test the system from the viewpoint of a threat-source and to identify potential failures in the IT system protection schemes (section 3.3.2, pp. 17-18).

NIST SP 800-34, Contingency Planning for Information Technology Systems, dated June 2002, states that recovery strategies provide a means to restore information technology (IT) operations quickly and effectively following a service disruption. The strategies should address disruption impacts and allowable outage times identified in the Business Impact Assessment (BIA). Several alternatives should be considered when developing the strategy, including cost, allowable outage time, security, and integration with larger organization-level contingency plans (section 3.1, p. 19).

Federal Information Processing Standards Publication 199 (FIPS PUB 199), Standards for Security Categorization of Federal Information Systems, February 2004, provides standards for categorizing information and information systems. Security categorization standards for information and information systems provide a common framework and understanding for expressing security that promotes: (i) effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the OMB and Congress on the adequacy and effectiveness of information security policies, procedures, and practices.
Subsequent NIST standards and guidelines will address the second and third tasks cited (section 1, p. 1).

Agency officials shall use the security categorizations described in FIPS PUB 199 whenever there is a federal requirement to provide such a categorization of information or information systems. Additional security designators may be developed and used at agency discretion. State, local, and tribal governments, as well as private sector organizations comprising the critical infrastructure of the United States, may consider the use of these standards as appropriate (section 2, p. 1).

FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, specifies requirements for federal information and information systems in seventeen security-related areas. Federal agencies must meet the minimum security requirements as defined herein through the use of the security controls in accordance with NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, as amended.

NIST SP 800-60, Guide for Mapping Types of Information Systems to Security Categories, Volumes I & II, August 2008, was developed to help agencies consistently map security impact levels to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative). This guideline applies to all federal information systems other than national security systems. National security systems store, process, or communicate national security information (section 1.1, p.
1).

Certification & Accreditation Packages

The FMC did not perform annual security control assessments on its accredited systems (the FMC Network and SERVCON) in FY10. NIST encourages agencies to consider the C&A package to be "living" documents, and control assessments should be performed on an ongoing basis to ensure that the system continues to operate at an acceptable security level.

The OIG-identified deficiencies in last year's C&A packages generally remain uncorrected. The agency has addressed one review finding by matching the security categorizations for the FMC Network and SERVCON with the security categorizations listed in the POA&Ms. However, most deficiencies noted remain uncorrected.

We reviewed the individual documents of each package to evaluate their adherence to other relevant NIST and OMB guidance. The C&A packages contained a privacy impact assessment, security plan, risk assessment, certification and accreditation statements, POA&M, FIPS 199 system categorization, contingency plan, system test and evaluation, configuration management plan, e-authentication risk assessment, and security control assessment.

Continuous Monitoring

Vulnerability scanning includes scanning for specific functions, ports, protocols, and services that should not be accessible to users or devices and for improperly configured or incorrectly operating information flow mechanisms.
Vulnerability scans were conducted on the FMC Network and SERVCON on August 2, 2010, to partially comply with NIST guidance for continuous monitoring.

Notwithstanding the vulnerability scans, no evidence was provided to indicate that annual security control assessments were conducted in accordance with NIST SP 800-53A on these systems in FY10 as required by NIST SP 800-37. A security control assessment is more than a scan; it also includes the testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Security Plans

While the FMC Network and SERVCON security plans were generally compliant with NIST SP 800-18 guidance, review of the security plans last year found that sections of the security plans were either not completed or completed incorrectly. In its response to the recommendation last year, management indicated that its System Security Plans (SSP) were completed according to NIST SP 800-18.
However, we noted the following deficiencies again in FY10 that fall short of NIST SP 800-18 requirements:

   • The security plans (and C&A packages) do not contain unique identifiers for each system.
   • Certifying Agent (CA) and Designated Approving Authority (DAA) titles are not clearly identified as required by NIST SP 800-37.
   • E-mail addresses for key personnel are not provided.
   • Minor applications are not identified, nor is there a statement that there are no minor applications associated with the general support system (FMC Network).
   • A list of user organizations was not provided. (This may not be an issue given the size of FMC, but there was no clear discussion of the user community.) Presently, this section and the related table identify switches, e-mail systems, firewalls, and gateways used by the applications.
   • There is no discussion of interconnections between systems. Specifically, there should be a list of systems that share data between applications. If there are none, this should be stated in the appropriate section of the security plan.
   • Security plans for systems processing Privacy Act information did not include the number and title of the system(s) of record and whether the system(s) is used for computer-matching activities.
   • Common controls were not specifically identified, although common controls were identified in the risk assessments.
   • Signature and date fields were blank on the approval sheets in the copies of the security plans provided. Additionally, the names of personnel listed as the signatories did not match the individuals who signed the C&A statements.

No system security plan updates were made in FY10. Therefore the deficiencies remain uncorrected.

Risk Assessments

Review of the FMC Network and SERVCON risk assessments found the risk assessments were generally based upon SP 800-30 and addressed most of the areas covered by the guidance, including the risk assessment approach, system security categorization, threats, and a detailed analysis. The FMC Network risk assessment was completed on May 26, 2009, and the SERVCON risk assessment was completed on May 27, 2009, as part of the C&A effort. However, the following deficiencies were identified in last year's review and continue to exist:

   • Accreditation boundaries for the risk assessment, which define the scope of the C&A packages, were not clearly defined. For example, all components of the information system to be authorized for operation by the authorizing official were not clearly defined.
   • System and data owners were not clearly identified in the Network Risk Assessment; the data owner was not clearly identified in the SERVCON Risk Assessment.

Parts of the documents were incomplete. Specifically, the System Management Roles and the System User Group and Access tables are incomplete in each risk assessment.
These tables list the roles and access levels for IT and other user groups in an effort to keep them appropriately segregated.

No annual security control testing for either system was performed in FY10, and no risk assessments were performed as required by NIST SP 800-30.

E-Authentication Risk Assessments

OMB Memorandum 04-04, E-Authentication Guidance to Federal Agencies, describes four identity authentication assurance levels for e-government transactions. In this context, assurance is the level of confidence that the individual who uses a credential or password is the individual to whom the credential (or password) was issued. There are four assurance levels:

   • Level 1: Little or no confidence in the asserted identity's validity;
   • Level 2: Some confidence in the asserted identity's validity;
   • Level 3: High confidence in the asserted identity's validity; and
   • Level 4: Very high confidence in the asserted identity's validity.

OIT performed an e-authentication risk assessment on FMC's SERVCON that concluded the system requires Level 2 authentication. However, OIT also categorized SERVCON as a high impact system during the FIPS 199 required categorization, meaning that a breach, unauthorized access, or loss of data might cause a "severe or catastrophic" adverse effect on the agency's operations, assets, or individuals.

It is inconsistent to have a Level 2 assurance level for a system that has been categorized at a high impact level for data confidentiality in accordance with FIPS 199.
Systems with high impact levels, as is the case with SERVCON, require Level 4 authentication.

C&A Letters

Review of the documents found that certification and authorization to operate statements (C&A letters) dated June 4, 2009, for the FMC Network and SERVCON were contained in each document. However, the C&A letters exhibited the following minor deficiencies:

   • The CIO is not clearly identified as the Designated Approving Authority.
   • The Information System Security Officer signed the certification statement as the Authorizing Official instead of the Certifying Agent, which would appear to be a conflict of interest because of a lack of segregation of duties (i.e., the same individual responsible for ensuring the security control and risk assessments are performed is also formally accepting the risk of operating the system in the production environment based on those same results).
   • The certification statement does not mention the contractors who operated as independent certification agents, as required by NIST SP 800-53 for "moderate" and "high" categorized systems.

FIPS 199 Security Categorization

The security categorizations were completed for the FMC Network and SERVCON.

Contingency Plans

Contingency plans were developed for the FMC Network (dated May 18, 2009) and SERVCON (dated March 19, 2009).
Our FY10 review of the completed FMC Network and SERVCON contingency plans revealed that:

   • Alternates to team leads are not identified in the FMC Network contingency plan.
   • The phone trees are incomplete in the FMC Network contingency plan.
   • Contact information for alternates to team leads is incomplete.
   • The contingency plans did not include service level agreements.
   • A Business/Mission Impact Analysis has not been completed for each system.

Most conditions identified last year remained in FY10. Further, no contingency plan updates for contact information were made in FY10.

The contractor completed the C&A documentation; however, the documentation does not fully comply with NIST guidance.

Annual security control assessments were not performed for SERVCON and the general support system (GSS). OIT officials believe that control assessments from FY09 were sufficient and that control assessments in FY10 were unnecessary, notwithstanding federal requirements that mandate annual testing.

IT threats and vulnerabilities change continuously. To conclude that annual testing is unnecessary fails to recognize this reality. Without developing and maintaining comprehensive C&A packages for all systems, FMC is unable to identify all of the security vulnerabilities associated with operating its systems.
Additionally, without the appropriate FMC personnel being made aware of the risk associated with the system operating in the FMC production environment and formally accepting the risks, the FMC data being processed, stored, or transmitted by these production systems may be exposed to unknown risks.

Recommendations

Most of these conditions have existed over the past two (2) FISMA engagements. Therefore, we are repeating the recommendations from the prior FISMA review. We recommend OIT:

   2. Clearly identify the Certifying Agent, Designated Approving Authority, and system owner in the security plans and C&A documentation in accordance with NIST SP 800-37 as amended.
   3. Conduct complete risk assessments on accredited FMC systems (FMC Network and SERVCON). Define accreditation boundaries. Ensure that risk assessments are complete in accordance with NIST SP 800-30 as amended.
   4. Conduct control assessments in accordance with FIPS 200, NIST SP 800-53 as amended, and NIST SP 800-37 as amended.
   5. Complete the Authority to Operate letters with the correct information and titles.
   6. Correct the e-authentication risk assessment for SERVCON. SERVCON requires Level 4 authentication.

Notification of Finding # 3: The FMC Plan of Action & Milestones process is inadequate.

OMB Memorandum 04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act, defines a POA&M as a tool identifying tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones.
The purpose of a POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.

A POA&M can be thought of as a blueprint for prioritizing and tracking corrective actions.

Review of the FMC Network and SERVCON POA&Ms found that POA&M action items came from various sources such as system security plan findings, the Office of Equal Employment Opportunity, the Office of Operations, and the Office of the Managing Director.

OMB Memorandum 04-25 also requires agencies to prepare POA&Ms for all programs and systems where an IT security weakness has been found. The guidance directs CIOs and agency program officials to develop, implement, and manage POA&Ms for all programs and systems they operate and control (e.g., for program officials this includes all systems that support their operations and assets). Additionally, program officials should regularly (at least quarterly and at the direction of the CIO) update the agency CIO on their progress to enable the CIO to monitor agency-wide remediation efforts and provide the agency's quarterly update to OMB. Memorandum 04-25 also provides instructions on how POA&Ms should be structured and maintained (pp.
14-15).

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, dated August 2009, states that control MP-3 requires organizations to mark, in accordance with organizational policies and procedures, removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.

FMC developed POA&Ms in FY09 for the FMC Network and FMC SERVCON. The POA&M documents generally contain the required elements as identified in OMB guidance. However, the agency has not completed the POA&Ms properly. The OIG found that ID numbers are not assigned to POA&M items for either system. Most importantly, the review also found that the resources required to complete each task were not identified, and milestones with completion dates were not identified. Without resource requirements and target dates to hold officials accountable, the POA&Ms become little more than a "to-do" list that is addressed on a "when time is available" basis.

Through inspection of the documentation and interviews with OIT staff, the OIG determined that the OIT staff has minimally utilized the FMC Network and SERVCON POA&Ms. That is, no tasks have been added over the past year, and only one low-risk item (Voice Over Internet Protocol (VOIP), now implemented) has been closed for each system. The FMC had a total of 60 POA&M items in FY09 and 59 in FY10 for the Network and SERVCON, respectively.
Most of these open POA&M items have scheduled completion dates in 2009.

Through inspection of the documentation and interviews with OIT staff, the OIG determined that the OIT staff have minimally utilized the FMC Network and SERVCON POA&Ms, but have not allocated sufficient resources to implement a more effective POA&M process.

Without an effective POA&M process, including the tracking of resources required to complete tasks and milestones with completion dates, it is more difficult for the agency to identify and prioritize weaknesses or track the status of the corrective actions being taken to resolve identified deficiencies. This could lead to vulnerabilities not being corrected and the continued exposure of FMC systems to higher levels of risk.

Recommendations

With regard to systems that will be retained, FMC OIT should develop and document an OMB-compliant POA&M process (i.e., one that closes POA&M items more efficiently and reduces the risk to sensitive FMC information).

In summary, FMC OIT should:

   7. As recommended in FY09, develop a POA&M process for systems that will be retained, complete the POA&Ms in accordance with current OMB and NIST guidance, and maintain evidence of the closure of each item.

Notification of Finding # 4: FMC Network Domain Administrator accounts are not formally monitored and segregated.

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, dated August 2009, recommends that organizations shall:

   • Establish and administer privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles, and track and monitor privileged role assignments.
   • Employ the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
   • Review and analyze information system audit records at an organization-defined frequency for indications of inappropriate or unusual activity, and report findings to designated organizational officials.

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, dated August 2009, also recommends that the information system protect against an individual falsely denying having performed a particular action.

FMC has stated that only the senior network engineer has access to the domain administrator account and that the password to this account is locked in a safe.
This permits the administrator to perform actions without being accountable for those actions because the domain administrator account is not assigned to a specific individual. In addition, because the administrator is the only person who knows the administrator authenticators, she/he constitutes a single point of failure. For example, should the administrator become unavailable for any reason, FMC would be unable to continue IT operations effectively.

The creation of an administrator group and the assignment of administrator privileges to individuals under this group permits administrators to perform activities that can be traced directly back to them. This is an industry best practice, and OIT officials told us that the FMC employs this practice with four FMC administrators. However, allowing any administrator to use the Domain Administrator Account, which does not reside under this group, other than under the most controlled circumstances permits the administrator to perform those activities without being held accountable. This is because the Domain Administrator Account cannot be unequivocally assigned to one person in a manner that allows the system logs to identify a specific individual within the log files themselves. Accountability for the use of this account must be established and tracked by other means.

As was the case in FY09, a formal process for segregating and monitoring user and privileged accounts, including the Domain Administrator account, is not implemented.

In its FY09 response to this recommendation, management told the OIG that it was developing a process by which every 90 days the domain administrator account password would be manually changed and physically secured in a designated location so that it is only available for authorized and documented network changes and/or emergencies. This process will be in place by the end of the first quarter of fiscal year 2010.
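Tracking use of the shared account by other means, as the finding above requires, is illustrated with the following added example; it is not part of the OIG report and uses no FMC data. Constructed logon records are matched against a constructed password-checkout register (the account names, hosts and ticket ids are hypothetical), each shared-account logon that no change or emergency record covers is flagged for the ISSO, and the 90-day manual password rotation is checked as well.

```python
"""Attribution review for shared privileged-account logons.

Added example, not part of the OIG report and not FMC's code or data: a
shared built-in domain administrator account cannot be tied to a person
by the logs alone, so every logon by it is matched against a documented
authorization record (the change-request or emergency entry that names
who signed the password out). Logons with no matching record are
reported as unattributable for ISSO follow-up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Hypothetical name for the shared built-in account.
SHARED_PRIVILEGED_ACCOUNTS = {"CORP\\Administrator"}


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    account: str
    source_host: str


@dataclass(frozen=True)
class AuthorizedUse:
    ticket: str         # change request or emergency log entry id
    person: str         # individual who signed the password out
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Finding:
    event: LogonEvent
    attributed_to: Optional[str]   # person answerable for the logon
    ticket: Optional[str]
    status: str                    # "named-account", "attributed", "UNATTRIBUTED"


def parse_logon_line(line: str) -> LogonEvent:
    """Parse one constructed log line of the form 'ISO-time|account|host'."""
    when, account, host = (field.strip() for field in line.split("|"))
    return LogonEvent(datetime.fromisoformat(when), account, host)


def review_privileged_logons(lines, register, shared=SHARED_PRIVILEGED_ACCOUNTS):
    """Attribute each logon to a person, or flag it as unattributable."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_logon_line(line)
        if ev.account not in shared:
            # A named account under the administrator group identifies the
            # individual on its own; the log entry is the accountability record.
            findings.append(Finding(ev, ev.account, None, "named-account"))
            continue
        # Shared account: the log cannot name a person, so the documented
        # checkout window is the only way to establish who was responsible.
        match = next((u for u in register if u.start <= ev.when <= u.end), None)
        if match is None:
            findings.append(Finding(ev, None, None, "UNATTRIBUTED"))
        else:
            findings.append(Finding(ev, match.person, match.ticket, "attributed"))
    return findings


def unattributed(findings):
    """Logons by the shared account that no change or emergency record covers."""
    return [f for f in findings if f.status == "UNATTRIBUTED"]


def password_rotation_overdue(last_changed_iso: str, now_iso: str, max_age_days: int = 90) -> bool:
    """True when the shared account's password is older than the rotation interval."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_changed_iso)
    return age > timedelta(days=max_age_days)


# Constructed sample logon records (not real FMC logs).
SAMPLE_LOG = [
    "2010-08-02T09:15:00|CORP\\jdoe.adm|WS-ENG-01",       # named admin-group account
    "2010-08-02T22:05:00|CORP\\Administrator|DC-01",      # inside change window CR-0042
    "2010-08-05T03:40:00|CORP\\Administrator|WS-ENG-03",  # no record covers this use
    "2010-08-06T14:00:00|CORP\\Administrator|DC-01",      # inside emergency window EMG-0007
]

# Constructed checkout register: who had the password, for which ticket, and when.
SAMPLE_REGISTER = [
    AuthorizedUse("CR-0042", "jdoe", datetime(2010, 8, 2, 22, 0), datetime(2010, 8, 2, 23, 0)),
    AuthorizedUse("EMG-0007", "asmith", datetime(2010, 8, 6, 13, 30), datetime(2010, 8, 6, 15, 0)),
]

if __name__ == "__main__":
    for f in review_privileged_logons(SAMPLE_LOG, SAMPLE_REGISTER):
        who = f.attributed_to or "<nobody>"
        print(f"{f.event.when:%Y-%m-%d %H:%M} {f.event.account:<22} {f.event.source_host:<10} "
              f"{f.status:<14} {who} {f.ticket or ''}")
    print("rotation overdue:", password_rotation_overdue("2010-05-01", "2010-08-02"))
```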

In this report, management continued as follows: "[FMC OIT] realize[s] the need for a proactive network access monitoring process and will seek to identify a hardware or software solution that will allow the ISSO the ability to receive alerts based on predetermined criteria relating to network access. This process will be in place by the end of the third quarter of fiscal year 2010."

The cause, as communicated by management for the last three years, for utilizing the domain administrator account for performing administrative duties is that it is not practical to follow the industry best practice of logging each use. The FMC also informed the OIG that informal monitoring by the ISSO is performed on a monthly basis; therefore, a formal monitoring process is not necessary.

Without changing the password of the FMC Network domain administrator account, and restricting access to the password so that it is only available for authorized and documented network changes and/or emergencies, there is no assurance of accountability and there exists a potential single point of failure. Further, without appropriately monitoring usage of the privileged FMC Network account(s), authorized and unauthorized changes to the network may occur without the necessary accountability, which may affect the overall confidentiality, integrity, and availability of the system.

Recommendations

We recommend OIT:

   8. Review and implement FMC's policies and procedures (and, if determined necessary, hardware and/or software) for the ISSO to monitor the actions of all FMC Network user and privileged (super user) accounts, such as the top tier Domain Administrator Account and the administrator accounts under the Domain Administrator Group.
   9. The FMC Network Domain Administrator account password should be changed in accordance with FMC password policy and physically secured to restrict its access. The CIO or his designated representative should control the access and use of the password so that this password is only made available for authorized and documented network changes and/or emergencies. This would ensure accountability and avoid any potential for a single point of failure. The process for handling the FMC Domain Administrator account should be documented.
   10. If regular Domain Administrator Account use is deemed necessary without employing the recommended procedures or other means that effectively enforce user accountability, FMC should:
       a. Document the reason for this need.
       b. Perform a risk assessment in accordance with NIST SP 800-30 to determine the level of risk associated with this practice.
       c. Develop a stand-alone document, or update the FMC LAN system security plan, to reflect the acceptance of risk.
       d. The designated approval authority for the FMC LAN should accept responsibility for the risk associated with this practice in writing.

Notification of Finding # 5: FMC lacks an adequate Contingency Planning Program to include policies, procedures, testing, and documentation of testing.

According to NIST SP 800-34, Contingency Planning for Information Technology Systems, dated June 2002, recovery strategies provide a means to restore IT operations quickly and effectively following a service disruption. The strategies should address disruption impacts and allowable outage times identified in the Business Impact Assessment (BIA). Several alternatives should be considered when developing the strategy, including cost, allowable outage time, security, and integration with larger, organization-level contingency plans.

The selected recovery strategy should address the potential impacts identified in the BIA and should be integrated into the system architecture during the design and implementation phases of the system life cycle. The strategy should include a combination of methods that complement one another to provide recovery capability over the full spectrum of incidents. A wide variety of recovery approaches may be considered. The appropriate choice depends on the incident, type of system, and its operational requirements. Specific recovery methods further described in section 3.4.2 should be considered and may include commercial contracts with cold-, warm-, or hot-site vendors, mobile sites, mirrored sites, reciprocal agreements with internal or external organizations, and service level agreements (SLA) with the equipment vendors.
In addition, technologies such as Redundant Arrays of Independent Disks, automatic fail-over, uninterruptible power supplies, and mirrored systems should be considered when developing a system recovery strategy.

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, dated August 2009, states that organizations shall test and/or exercise the contingency plan for the information system to determine the plan's effectiveness and the organization's readiness to execute the plan, and that organizations shall provide for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

FMC took part in the Federal Emergency Management Agency's Eagle Horizon 2009 continuity exercise, which was mandatory for all federal executive branch departments and agencies. Additionally, according to an e-mail message from the FMC Director of OIT, a test in FY 2010 focused on the following items: reconfiguring the continuity of operations site primary domain controller, and testing connectivity to the FMC domain, replication of data, and remote/Virtual Private Network, application, telephone service, and e-mail access in the event of a disruption.
However,\nbased upon review of the contingency plans and documentation provided, the following\nconditions were noted:\n\n   \xe2\x80\xa2   FMC does not have documented contingency planning policies and procedures for\n       identifying the frequency of testing, types of testing, and preparing and updating of\n       contingency documentation;\n   \xe2\x80\xa2   The following FMC applications have not been tested:\n           o SERVCON\n           o Form-1\n           o Form-18 (FMC-18)\n   \xe2\x80\xa2   The following systems do not have contingency plans:\n           o Form-1\n           o Form-18 (FMC-18)\n   \xe2\x80\xa2   The FMC Network contingency plan test in 2010 and results documentation do not\n       adequately test or document the FMC Network contingency plan. No information was\n       available to describe the scenario that was being tested. Testing appeared to concentrate\n\n\n                                                15                                             December 6, 2010\n\x0c                                                       Independent Evaluation of FMC Information Security Program\n\n\n\n\n       on determining if the applications were working, e-mail could be sent, or the Internet\n       could be accessed. No recommendations or lessons learned were identified.\n\nAs was the case in FY09, FMC has not allocated the necessary resources to create a fully\nfunctional contingency planning program to include appropriate testing and documentation of the\ntesting.\n\nDelays, confusion, and the potential introduction of vulnerabilities when recovering from a\nsystem failure are likely when contingency plans are incomplete and have not been tested. Not\ntesting contingency plans could result in errors or incorrect steps being embedded in the security\nplan, which could further hinder the recovery process.\n\nRecommendations\n\nWe are repeating the following recommendation made in FY09:\n\n   11. 
Develop a contingency plan policy and procedures that address the creation, review, testing, and maintenance of contingency plans. Test contingency plans and document results in accordance with NIST SP 800-34 and NIST SP 800-53.

Notification of Finding # 6: FMC official system inventory is incomplete.

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, dated August 2009, states that control CM-8 requires organizations to develop, document, and maintain an inventory of information system components that:

   •   Accurately reflects the current information system;
   •   Is consistent with the authorization boundary of the information system;
   •   Is at the level of granularity deemed necessary for tracking and reporting;
   •   Includes organization-defined information deemed necessary to achieve effective property accountability; and
   •   Is available for review and audit by designated organization officials.

FISMA states the following:

        ‘‘(c) INVENTORY OF MAJOR INFORMATION SYSTEMS—(1) The head of each agency shall develop and maintain an inventory of major information systems (including major national security systems) operated by or under the control of such agency.”
        “(2) The identification of information systems in an inventory under this subsection shall include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.”

The following condition also existed in FY09:
During FY 2008, OIT hired contractors to create a security program and to certify and accredit FMC’s systems. The contractors distributed inventory forms to all FMC departments to identify the systems in operation. The returned forms became the “FMC inventory.” In addition to the FMC Network and SERVCON systems, for which the contractor created C&A packages, the forms returned from each FMC department identified the following systems:

   o   BEAA
   o   BOE Index
   o   e-agreements
   o   Form-1
   o   Form-18 (FMC-18)
   o   OIG
   o   PIERS
   o   SERVCON (External)
   o   Training

According to FISMA, a complete inventory must contain IT system interfaces in addition to simply identifying systems. An interface is a common interconnection between systems by which equipment or programs communicate information from one system to another.

Additionally, the following systems, which were identified in the system inventory under the heading Database System Inventory Assets, did not have C&A packages and were not identified in the official system inventory as subsystems under the GSS:

   o   BEAA
   o   eAgreements
   o   PIERS
   o   Training
   o   BOE Index
   o   OIG

Through inspection of the documentation and interviews with OIT staff, it was determined that the OIT staff was relying on documentation produced and distributed by the contractor.

The inventory does not reflect a hierarchical structure that clearly distinguishes the major applications, which require accreditation (formerly C&A) packages, from the minor applications that reside under a major application.

Without documenting and implementing an effective inventory process, FMC management may not be aware of all FMC systems in operation in the IT environment.
Without the official system inventory being consistent with the authorization boundaries of the information systems, and without diagrams detailing system interconnections, FMC may not scope and tailor the security controls for each system correctly.

Recommendations

We recommend OIT –

   12. Complete and maintain an official system inventory of all FMC systems and interfaces.
   13. Organize the FMC inventory in a hierarchical fashion (i.e., which systems are subordinate to the GSS).

Notification of Finding # 7: Third-Party Oversight deficiencies.

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, dated August 2009:

   •   Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
   •   Requires organizations to define and document government oversight and user roles and responsibilities with regard to external information system services.
   •   Requires organizations to monitor security control compliance by external service providers.

We requested a copy of the documented FMC methodology for performing oversight and evaluation of contractor systems and of systems hosted at other government agencies, and were informed that none existed.
Also, SLAs and contracts were not provided for all systems.

OIT did not know the answers to the following items:

   •   The number of contractor systems that service FMC by FIPS 199 category
   •   The number of contractor systems that service FMC by C&A status
   •   The number of contractor systems that service FMC by whether annual testing occurred
   •   The number of contractor systems that service FMC by whether a tested contingency plan exists
   •   The number of agency-owned and contractor systems that service FMC assessed at e-authentication levels 3 or 4

The oversight methodology should be included in an SLA with the external service provider. The government Contracting Officer's Technical Representative reserves the right to verify that the contractor is complying with the contract. At the defined frequency for this process (at least once a year), FMC should meet with the contractor and, if necessary, create findings on the POA&M. A document/memo should be created each time that oversight is performed.

The Authority to Operate (ATO), Interconnection Security Agreement (ISA), and Memorandum of Understanding (MOU) between FMC and the Bureau of Public Debt (BPD) have all expired as of FY09. The ATO, ISA, and MOU between FMC and the National Finance Center (NFC) were current. We noted that the ATO and MOU between FMC and OPM for eOPF were current. However, the ISA between FMC and OPM was not provided.

The FMC informed the OIG that it is not FMC’s responsibility to perform these monitoring activities.
However, according to NIST SP 800-53, oversight of third parties is a responsibility of FMC.

Without appropriate monitoring of security control compliance by external service providers, the risk increases of security incidents that could affect the overall confidentiality, integrity, and availability of the FMC data shared with an external system.

Recommendations

We recommend that FMC:

   14. Define and document policies and procedures for an oversight methodology of external information system services with contractors. At the defined frequency for this process (at least once a year), FMC should meet with the contractor and, if necessary, create findings on the POA&M. A document/memo should be created each time that oversight is performed.
   15. Monitor security control compliance by external service providers and maintain an inventory of the following items:

           •  The number of contractor systems that service FMC by FIPS 199 category
           •  The number of contractor systems that service FMC by C&A status
           •  The number of contractor systems that service FMC by whether annual testing occurred
           •  The number of contractor systems that service FMC by whether a tested contingency plan exists
           •  The number of agency-owned and contractor systems that service FMC assessed at e-authentication levels 3 or 4
   16. 
Maintain Authority to Operate (ATO) letters, Interconnection Security Agreements (ISA), and Memoranda of Understanding (MOU) between FMC and external service providers.

Notification of Finding # 8: Configuration Management documentation and practices are not adequate.

An information system is typically in a constant state of change in response to new or enhanced hardware and software capability, patches for correcting errors in existing components, new security threats, changing business functions, and so on. Implementing information system changes almost always results in some adjustment to the system baseline configuration. To ensure that the required adjustments to the system configuration do not adversely affect information system security, a well-defined security configuration management process is needed.

Configuration Management comprises a collection of activities focused on establishing and maintaining the integrity of products and systems through control of the processes for initializing, changing, and monitoring the configurations of those products and systems. The practice of configuration management is implemented through the establishment of the baseline configuration.

The configuration of an information system and its components has a direct impact on the security posture (i.e., the ability to protect the confidentiality, integrity, and availability of information stored, processed, or transmitted) of the system.
How those configurations are established and maintained requires a disciplined approach to providing adequate security.

FISMA requires agencies to establish “minimally acceptable system configuration requirements” within their information security program, and NIST SP 800-53 defines a set of security controls which support this requirement.

NIST SP 800-53 rev. 3, Recommended Security Controls for Federal Information Systems and Organizations, dated August 2009, states that organizations shall:

    o Develop, disseminate, and review/update at an organization-defined frequency:
            a. A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
            b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
    o Develop, document, and maintain under configuration control a current baseline configuration of the information systems.
    o Determine the types of changes to the information system that are configuration controlled;
    o Approve configuration-controlled changes to the system with explicit consideration for security impact analyses;
    o Document approved configuration-controlled changes to the system;
    o Retain and review records of configuration-controlled changes to the system;
    o Audit activities associated with configuration-controlled changes to the system; and
    o Coordinate and provide oversight for configuration change control activities through an organization-defined configuration change control element (e.g., committee, board) that convenes at an organization-defined frequency to discuss organization-defined configuration change conditions.

In 
addition, NIST requires agencies to:

    o Analyze changes to the information system to determine potential security impacts prior to change implementation.
    o Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
    o Establish and document mandatory configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements;
    o Implement the configuration settings;
    o Identify, document, and approve exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and
    o Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
    o Configure the information system to provide only essential capabilities and to specifically prohibit or restrict the use of organization-defined prohibited or restricted functions, ports, protocols, and/or services.
    o Develop, document, and implement a configuration management plan for the information system that:

           a. Addresses roles, responsibilities, and configuration management processes and procedures;
           b. Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and
           c. 
Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.

NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, dated May 2004, identifies configuration management and configuration control processes as a critical aspect of the security certification and accreditation process during the post-accreditation period, which involves the continuous monitoring of security controls in the information system over time. The guidance goes on to state that it is important to document the proposed or actual changes to the information system and to subsequently determine the impact of those proposed or actual changes on the security of the system.

NIST SP 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklist Users and Developers, dated May 2005, provides approved security configuration checklists for a variety of operating systems, web browsers, firewalls, antivirus software, and productivity tools.

The OIT provided a Configuration Management Policy, dated May 16, 2007. The evaluation team noted that the policy requires a baseline configuration, change control, and testing when changing the baseline configuration. All FMC servers are configured using a Server Build Document, and the “ghost” image uses Group Policy Objects and Desktop Authority scripts; all other configuration management is performed according to an undocumented process. Additionally, the ISSO explained that additional thumb drive restriction policies had been implemented through ScriptLogic.
The senior network engineer applies software patches in a timely and secure manner in accordance with Patch Management Policy OIT-P12.

The review determined that FMC has created a Configuration Management Policy, implemented the Federal Desktop Core Configuration for its workstations, and created a “server build checklist.” However, a baseline configuration for the FMC Network and deviations from the baselines are not documented.

Additionally, the GSS and SERVCON Technical Architecture documents did not address security controls in sufficient detail. Specifically, NIST requires that information be provided on the security baselines to be used, the frequency of security baseline updates, and the steps to ensure that security baselines are being followed. The following sections were found to be incomplete:

   o   Portal requirements table;
   o   User roles and groups tables;
   o   Firewall configuration; and
   o   Document sign off.

FMC hired a contractor who worked during FY 2008 and FY 2009 to create its IT security program; however, the contractor was issued a “stop work order” after completion of the FMC Network and SERVCON C&A documentation. Through inspection of the documentation and interviews with OIT staff, the OIG determined that OIT staff has not allocated the necessary resources to create a fully functional configuration management program.

The effect of not having a completed, up-to-date, and detailed configuration management program is that baseline security settings do not exist for FMC systems.
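To make concrete what a documented baseline with documented deviations looks like, here is an added example (not code from FMC, the OIG, or NIST) that models the CM-2/CM-6 practice described above: a mandatory server baseline, the settings actually observed on a host, and a register of approved exceptions, each carrying a stated reason and an approver. Every setting name, value, server observation, and exception in it is constructed for illustration.

```python
"""Baseline compliance check with a documented-deviation register.

Each baseline setting ends in one of three states:
  compliant              observed value equals the mandatory value
  approved deviation     differs, but an exception with a reason and an
                         approver is on file for exactly the observed value
  undocumented deviation differs (or is missing) with no valid exception
The third state is what "deviations from the baselines are not
documented" means in practice.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedDeviation:
    """One documented exception to the baseline (constructed record)."""
    setting: str
    approved_value: str
    reason: str        # the explicit operational requirement
    approved_by: str   # who accepted the residual risk


# Constructed baseline: setting -> mandatory value (stands in for one
# line each of a checklist-program style server baseline).
BASELINE = {
    "firewall.inbound_default": "deny",
    "removable_storage.usb_mass_storage": "blocked",
    "smb.signing_required": "true",
    "telnet.service": "disabled",
    "password.min_length": "12",
    "patch.level": "2010-11",
}

# Constructed exception register. Only entries with a non-blank reason
# and approver, matching the value actually in place, count as approved.
EXCEPTIONS = {
    "telnet.service": ApprovedDeviation(
        setting="telnet.service", approved_value="enabled",
        reason="legacy filing interface needs telnet until migration",
        approved_by="ISSO"),
}

# Constructed observation from one server (hypothetical host "srv01").
OBSERVED_SRV01 = {
    "firewall.inbound_default": "deny",
    "removable_storage.usb_mass_storage": "blocked",
    "smb.signing_required": "false",   # drifted, no exception on file
    "telnet.service": "enabled",        # deviation, but documented
    "password.min_length": "12",
    # "patch.level" is absent from the host entirely
}


def _valid(exc, actual):
    """An exception only covers the observed value if it is fully documented."""
    return (exc is not None and exc.approved_value == actual
            and bool(exc.reason.strip()) and bool(exc.approved_by.strip()))


def assess(observed, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Return {setting: (status, detail)} for every baseline setting."""
    results = {}
    for setting, required in baseline.items():
        actual = observed.get(setting)
        exc = exceptions.get(setting)
        if actual == required:
            results[setting] = ("compliant", actual)
        elif _valid(exc, actual):
            results[setting] = ("approved deviation",
                                f"{actual} ({exc.reason}; approved by {exc.approved_by})")
        elif actual is None:
            results[setting] = ("undocumented deviation", "setting not present on host")
        else:
            results[setting] = ("undocumented deviation",
                                f"observed {actual}, required {required}")
    return results


def summarize(results):
    """Count settings per status, in the order the report would list them."""
    counts = {"compliant": 0, "approved deviation": 0, "undocumented deviation": 0}
    for status, _ in results.values():
        counts[status] += 1
    return counts


def undocumented(results):
    """Settings that need either remediation or a documented exception."""
    return sorted(s for s, (status, _) in results.items()
                  if status == "undocumented deviation")


if __name__ == "__main__":
    report = assess(OBSERVED_SRV01)
    for setting, (status, detail) in sorted(report.items()):
        print(f"{status:24} {setting}: {detail}")
    print(summarize(report))
```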
Without a baseline for servers and documented deviations, individuals responsible for configuring or validating security settings may be uncertain whether security settings are in place, and/or may develop a false sense of security. This could make the systems vulnerable to hacking, computer viruses, and other exploits.

Recommendations

These conditions have existed over the past two (2) FISMA engagements. Therefore, we are repeating the recommendations from the prior FISMA review. We recommend OIT –

   17. Complete the SERVCON and GSS configuration management documentation to include the missing sections identified in the condition section above. Additionally, confirm that the SERVCON and future configuration management plans address the following sections, in accordance with NIST SP 800-53 Revision 3:

               •   Security control, port, and firewall settings
               •   Allowable and non-allowable services
               •   Hardware and software requirements
               •   Patches and service packs
               •   Establish system and application baselines and document the deviations from the baselines.

   18. Implement the NIST National Checklist Program for FMC servers and utilize a Security Content Automation Protocol (SCAP) scanner to verify NIST baseline security configurations for servers.
Additionally, document any deviations from the baseline security configurations along with the reasons.


UNITED STATES GOVERNMENT                                     FEDERAL MARITIME COMMISSION

Memorandum

TO:       Office of the Inspector General               DATE: December 9, 2010

FROM:     Chief Information Officer

SUBJECT:  Responses to FY 2010 FISMA Notification of Findings

I have reviewed the findings and recommendations in the instant Review. Below are our comments regarding corrective actions which will be effected to address the recommendations.

Finding 1

Recommendation 1: Formally document plans for Form-1 and Form-18 system replacements that include, but are not limited to, explicit migration milestones and timelines.

Response: Management is reassessing Form-1 and Form-18 system replacements. At the appropriate time, plans that include milestones and timelines will be developed. Various factors, including new policies and procedures, combined with contractual and funding impediments, have delayed progress. An update on agency progress for this recommendation will be provided at the end of the third quarter of FY 2011.

Finding 2

Recommendation 2: Clearly identify the Certifying Agency, Designated Approving Authority, and system owner in the security plans and C&A documentation in accordance with NIST SP 800-37 as amended.

Response: Evidence satisfying this recommendation was provided at a meeting on October 26, 2010 with the Inspector General, the Chief Information Officer, the Director of the Office of Information Technology, the Information Systems Security Officer, and the contracted auditors from Richard S. Carson & Associates.
Evidence is again provided in the accompanying CD. Corrective action under this recommendation is considered completed.

Recommendation 3: Conduct complete risk assessments on accredited FMC systems (FMC Network and SERVCON). Define accreditation boundaries. Ensure that risk assessments are complete in accordance with NIST SP 800-30 as amended.

Response: Evidence satisfying this recommendation was provided at a meeting on October 26, 2010 with the Inspector General, the Chief Information Officer, the Director of the Office of Information Technology, the Information Systems Security Officer, and the contracted auditors. Evidence is again provided in the accompanying CD. Corrective action under this recommendation is considered completed.

Recommendation 4: Conduct control assessments in accordance with FIPS 200, NIST SP 800-53 as amended, and NIST SP 800-37 as amended.

Response: Management concurs, and advice concerning control assessments will be provided by the end of the third quarter of FY 2011.

Recommendation 5: Complete the Authority to Operate letters with the correct information and titles.

Response: Evidence satisfying this recommendation was provided at a meeting on October 26, 2010 with the Inspector General, the Chief Information Officer, the Director of the Office of Information Technology, the Information Systems Security Officer, and the contracted auditors. Evidence is again provided in the accompanying CD. Corrective action under this recommendation is considered completed.

Recommendation 6: Correct the e-authentication risk assessment for SERVCON.
SERVCON requires Level 4 authentication.

Response: Management will reevaluate whether raising the risk level for SERVCON is warranted. Advice concerning this recommendation will be provided by the end of the third quarter of FY 2011.

Finding 3

Recommendation 7: As recommended in FY 09, develop a POA&M process for systems that will be retained, complete the POA&Ms in accordance with current OMB and NIST guidance, and maintain evidence of the closure of each item.

Response: Evidence satisfying this recommendation was provided at a meeting on October 26, 2010 with the Inspector General, the Chief Information Officer, the Director of the Office of Information Technology, the Information Systems Security Officer, and the contracted auditors. Evidence is again provided in the accompanying CD. Corrective action under this recommendation is considered completed.

Finding 4

Recommendation 8: Review and implement FMC’s policies and procedures (and, if determined necessary, hardware and/or software) for the ISSO to monitor the actions of all FMC Network user [sic], and privileged (super user) accounts such as the top tier Domain Administrator Account and the administrator accounts under the Domain Administrator Group.

Response: Management will review its current policies and, if necessary, will take appropriate action to develop revised written procedures by the end of FY 2011.

Recommendation 9: The FMC Network Domain Administrator user account should be changed in accordance with FMC password policy, and physically secured to restrict its access. The CIO or his designated representative should control the access and use of the password so that this password is only made available for authorized and documented network changes and/or emergencies.
This would ensure accountability and avoid any potential for a single point of failure. The process for handling the FMC Domain Administrator account should be documented.

Response: Management does not agree with this opinion, and is in the process of formulating policies and written procedures for the use and monitoring of the Domain Administrator account. Management’s decision concerning this recommendation will be provided by the end of the third quarter of FY 2011.

Recommendation 10: If regular Domain Administrator Account use is deemed necessary without employing the recommended procedures or other means that effectively enforce user accountability, FMC should: (a) Document the reason for this need; (b) Perform a risk assessment in accordance with NIST SP 800-30 to determine the level of risk associated with this practice; (c) Develop a stand-a-lone [sic] document, or update the FMC LAN system security plan to reflect the acceptance of risk; and (d) The designated approval authority for the FMC LAN should accept responsibility for the risk associated with this practice in writing.

Response: Management is in the process of formulating policies and written procedures for the use and monitoring of the Domain Administrator account. Management’s decision concerning this recommendation will be provided by the end of the third quarter of FY 2011.

Finding 5

Recommendation 11: Develop a contingency plan policy and procedures that address the creation, review, testing, and maintenance of contingency plans. Test contingency plans and document results in accordance with NIST SP 800-34 and NIST SP 800-53.

Response: As noted by the auditors, contingency plans have been developed for the FMC’s systems that have been certified and accredited.
Management will continue to improve and refine its contingency plan testing procedures.

Finding 6

Recommendation 12: Complete and maintain an official system inventory of all FMC systems and interfaces.

Response: Evidence satisfying this recommendation was provided at a meeting on October 26, 2010 with the Inspector General, the Chief Information Officer, the Director of the Office of Information Technology, the Information Systems Security Officer, and the contracted auditors. Evidence is again provided in the accompanying CD. Corrective action under this recommendation is considered completed.

Recommendation 13: Organize the FMC inventory in a hierarchical fashion (i.e., which systems are subordinate to the GSS).

Response: Management disagrees with this recommendation, and has determined that the FMC inventory is satisfactory. Corrective action under this recommendation is considered completed.

Finding 7

Recommendation 14: Define and document policies and procedures for an oversight methodology of external information system services with contractors. At the defined frequency for this process (at least once a year), FMC should meet with the contractor and, if necessary, create findings on the POA&M. A document/memo should be created each time that oversight is performed.

Response: Management agrees with this recommendation and will document our current procedure to contact contractors yearly for their C&A status, which will satisfy the need to provide external information systems oversight.
Updated advice concerning this recommendation will be provided by the end of the third quarter of FY 2011.

Recommendation 15: Monitor security control compliance by external service providers and maintain an inventory of (1) the number of contractor systems that service FMC by FIPS 199 category; (2) the number of contractor systems that service FMC by Certification and Accreditation status; (3) the number of contractor systems that service FMC by whether annual testing occurred; (4) the number of contractor systems that service FMC by whether a tested contingency plan exists; and (5) the number of agency-owned and contractor systems that service FMC assessed at e-authentication levels 3 or 4.

Response: Management disagrees with this recommendation and has concluded that receipt of the C&A letter from the contracted agencies is sufficient evidence of monitoring their security control compliance. Corrective action under this recommendation is considered completed.

Recommendation 16: Maintain Authority to Operate (ATO) letters, Interconnection Security Agreements (ISA), and Memoranda of Understanding (MOU) between FMC and external service providers.

Response: Evidence satisfying this recommendation was provided at a meeting on October 26, 2010 with the Inspector General, the Chief Information Officer, the Director of the Office of Information Technology, the Information Systems Security Officer, and the contracted auditors. Evidence is again provided in the accompanying CD. Corrective action under this recommendation is considered completed.

Finding 8

Recommendation 17: Complete the SERVCON and GSS configuration management documentation to include the sections missing, as identified in the condition section.
Additionally, confirm that the SERVCON and future configuration management plans address the following sections, in accordance with NIST SP 800-53 Revision 3: (1) security control, port, and firewall settings; (2) allowable and non-allowable services; (3) hardware and software requirements; (4) patches and service packs; and (5) establish system and application baselines and document the deviations from the baselines.

Response: Management is in the process of developing a new configuration management framework, which will include the outlined recommendation. Updated information will be provided by the end of the third quarter of FY 2011.

Recommendation 18: Implement the NIST National Checklist Program for FMC servers and utilize a Security Content Automation Protocol (SCAP) scanner to verify NIST baseline security configurations for servers. Additionally, document any deviations from the baseline security configurations along with the reasons.

Response: The FMC will apply the Federal Server Core Configuration security settings to our servers. Any deviations will be documented. Results will be provided by the end of the third quarter of FY 2011.

                                              Anthony Haywood
                                              Chief Information Officer

Attachment (CD)

cc:    Managing Director/Audit Follow-up Official
       Director, Office of Information Technology